from lib.cuckoo.common.abstracts import Signature


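class TamperVBSetting(Signature):
    """Flag access to one specific "VB and VBA Program Settings" registry key.

    "VB and VBA Program Settings" is the registry location used by the
    Visual Basic SaveSetting/GetSetting functions; the two path components
    after it are the application and section names chosen by the program.
    The names matched here are literal, so this signature only recognises
    samples that use exactly this application/section pair.

    The registry key is the deciding indicator. Loaded-DLL matches are
    recorded only as supporting context once a registry match exists,
    because MSCTF.dll and VERSION.dll are loaded by a large share of
    ordinary Windows processes and say nothing on their own.
    """

    name = "tamper_vb_setting"
    description = "Attempt to tamper with VB and VBA setting information."
    severity = 3
    categories = ["reg"]
    authors = ["xuhy"]
    minimum = "2.0"

    # Sample-specific key path under any hive prefix.
    regkeys_re = [
        ".*\\\\(SOFTWARE|Software)\\\\VB and VBA Program Settings\\\\HAVRESU\\\\UNAMENABLESTABEJSE",
    ]

    # Basename must be exactly MSCTF or VERSION, with an optional directory
    # prefix and an optional ".dll" suffix (the extension stays optional, as
    # in the original pattern). The previous pattern left the dot unescaped
    # and the end unanchored, so any path merely containing "VERSION"
    # followed by one more character matched.
    dlls_re = [
        r"(?i)(.*\\)?(MSCTF|VERSION)(\.dll)?$",
    ]

    def on_complete(self):
        """Mark matching registry keys, then supporting DLL loads.

        Returns:
            True when at least one registry key matched, otherwise False.
            A DLL match without a registry match does not raise the
            signature.
        """
        registry_hit = False
        for indicator in self.regkeys_re:
            for regkey in self.check_key(pattern=indicator, regex=True, all=True):
                self.mark_ioc("registry", regkey)
                registry_hit = True

        # Without the registry indicator there is nothing VB-settings
        # related to report; bail out before marking generic DLL loads.
        if not registry_hit:
            return False

        for dll_re in self.dlls_re:
            for dll in self.check_dll_loaded(pattern=dll_re, regex=True, all=True):
                self.mark_ioc("dll", dll)
        return self.has_marks()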
